2d7ba983d164b760f1504265992e3c693fbcbe73fa41dab473518a9990721625

Resubmissions

09/06/2023, 13:39

230609-qx2k2sda8t 7

Analysis

max time kernel
56s
max time network
69s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
09/06/2023, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CeleryInstaller.exe
Size

185KB
MD5

6582adc44b4173aeb6a1b769d3cb2059
SHA1

41908b1e1ce9803a52452d1fdbb7699d4a5bc076
SHA256

2d7ba983d164b760f1504265992e3c693fbcbe73fa41dab473518a9990721625
SHA512

5d6ff295702a047296cfb0209cd161235a2d0a41bfb0d644867352a476d2b3d48b068f1f19c931a3c2c57ebacd654fb3d24099057e5d3a94f7bef9370ac484a1
SSDEEP

3072:pTl4yD0YLzuU2rPTCrbpmcC80FTOGFkYyVVV8bpmcC80FTOP:tD0YOSrbIb80Z1FkYyVVV8bIb80Z

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3812	Celery.exe

Loads dropped DLL 5 IoCs

pid	Process
3812	Celery.exe
3812	Celery.exe
3812	Celery.exe
3812	Celery.exe
3812	Celery.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
388	3812	WerFault.exe	66

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	CeleryInstaller.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 3812	2288	CeleryInstaller.exe	66
PID 2288 wrote to memory of 3812	2288	CeleryInstaller.exe	66
PID 2288 wrote to memory of 3812	2288	CeleryInstaller.exe	66

C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\CeleryInstaller.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\Celery\Celery.exe
  "C:\Users\Admin\AppData\Local\Temp\Celery\Celery.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 2004
    3⤵
    - Program crash
    PID:388

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Celery\Celery.exe

Filesize
4.7MB

MD5
4d48503f5212828e0754d7fdcd85a4b2

SHA1
7283840445ddd16c310b9383b8233641e6257d67

SHA256
c11cf22dca6c34ad1faad67c4005d795a04f44bcb3f9aed91cc3f6945a0fd7bd

SHA512
9e0e2112ca9039c4e28972db93fe50307ba1e4336669bc88f95c2724fc25822364b9bf46b53da38d94fda7cc3868ed45771aea4bcc9cd688b5c74afdb1dd005b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\Celery.exe

Filesize
4.7MB

MD5
4d48503f5212828e0754d7fdcd85a4b2

SHA1
7283840445ddd16c310b9383b8233641e6257d67

SHA256
c11cf22dca6c34ad1faad67c4005d795a04f44bcb3f9aed91cc3f6945a0fd7bd

SHA512
9e0e2112ca9039c4e28972db93fe50307ba1e4336669bc88f95c2724fc25822364b9bf46b53da38d94fda7cc3868ed45771aea4bcc9cd688b5c74afdb1dd005b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\Microsoft.Web.WebView2.Core.dll

Filesize
451KB

MD5
7e2bc58a005e0f41d74ce4b762e0fe89

SHA1
c2afc3173048be6f8b678c42e833e7835913b0b8

SHA256
af0e477405aaad87424cf3930818b4e7901a0077b13b8e0882e9b435ed6f4b4c

SHA512
d4cd340df3787e6c839c9b349069a425fd4f272e5e7478251e435d13a3a7d4ea9a5048cee6386be3874750baab14ede8ebf6009aa1db07b9cea4aa90bbadfd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\Microsoft.Web.WebView2.Wpf.dll

Filesize
43KB

MD5
021975a0451ec73478b2a7a5759105ee

SHA1
e9fbb98a24e8d9ae67d948fbfcbd227961d8c7aa

SHA256
7a6b8c5658fe8ffb05f8df283fe7ee5d2b68bd34aaf70cc847fc7c935fb14767

SHA512
69683b1b8caf1bb6a200b31661ca085b3d9ef263c1d588f8b40d00c2c695f0f6fce3884a52741e9c1051961ccc25dd4c9518d5b17b4be48948577b04a03f41bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\bin\Ace\js\ace\mode-csound_score.js

Filesize
13KB

MD5
6ac188cc35ae0d38d3647a2eef17b2fc

SHA1
2ce02c31e71ff47a20bd77d0cfbd07308a60a92b

SHA256
deb7de2b021dfef5965224192fce2adf20970cba77904f15b200efcfa4a16b67

SHA512
0d18c1951941c34f6bbfc026d35851cf1b7f713161e1e561436e7ba537ed556524c96339b3bdf7cbc55c921c45de8c9a9cdf4836c564145973adba22e7ec4c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\bin\Ace\js\ace\mode-django.js

Filesize
104KB

MD5
597023284ea29d9e98806bd94aa8a253

SHA1
64ee5f07197b0d1dbec675a9096f97fa6c1ca51a

SHA256
ed477e67c1b14b07c0b9ef8cede54e1b06e191306ebfe577e6756de2947edafb

SHA512
2c8ea2cdf0ced0c78c378ccccf167a2231d1fb31d299aacdc9c3df742b28513a69630a99d912d9db2f1c09d107596f64aabb403fe9e4034a9dc5cf5ff76bcc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\bin\Ace\js\ace\mode-ftl.js

Filesize
57KB

MD5
f93860de41fdaa63f5bd52e67e7703df

SHA1
947b852f5973000cc4d1c2ee61195c97e28a917b

SHA256
f829427ba1177f0803218fc649891492729cd6f5ee8eb865c38f8e524fd4533c

SHA512
8bce4f2a730824b2c3adb9bf7593cae03a4bb26b34786789849fcfda28b7d1f90f9c2e39f1afa507a5d5d94ba8e6976cd9cdb2e4bf3267cea7c3006701e1bd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\bin\Ace\js\ace\mode-glsl.js

Filesize
21KB

MD5
5c5d23ce4cb6e23f451758e4fd7e98c9

SHA1
1fbf0cb888d8e70d4197465714f1d3d0fbd8f19a

SHA256
59e269546af3388c4de91888e91a49fed9201f401932c5af0f91d65a300169ca

SHA512
ad4ca86890c3898c6d97537268071f56c8b0696c8ac5b77899d072571f4e8851f78b15ac58313046bc18844a473f4e8d281fdf361afb3a4eda8ce83d1d5694f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\bin\Ace\js\ace\mode-sh.js

Filesize
15KB

MD5
5db4064f359092c69ebbe30d6e036166

SHA1
edd8397c5466ec1ba2e69f63ae550506230e3f55

SHA256
938599faae1be9bd98ddf1ef3db6e799072f401841b75acb3971e26923e5a05f

SHA512
dd3b9c191867cc4f755f4e5fef982e767bcec8d2921bb750418bfc4b75ce4258aea294fb3564aa29a72afe0484cb77dcf4b72714a2809d5a57705127096c109f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\bin\Ace\js\ace\worker-css.js

Filesize
308KB

MD5
646ecbde4ed480deef1f426adff3d730

SHA1
7bd36540cf781abbc285b699e6302c66026e0ca7

SHA256
b8ecdb5e5cab4bb1a72ca02a1260bcfdc6426ebf92feee0c29ef394f9c07229c

SHA512
d7a5ca49950b4ee00a4678ab2aae2ac52b40c89c29e59c7c3b717db845f6958f2ee3ab3d3e7c701bd53ebebfad54a91196205661d08b38b0106e0965cad5e4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celery\runtimes\win-x86\native\WebView2Loader.dll

Filesize
112KB

MD5
578b9a2d5baa0dc780bd20b7d68f3e7d

SHA1
c17a61599736e5c5fa344251e7757c239fab5094

SHA256
75ec3d7faaf3f8a7e390d229678cf54c606f3dc2312c00531c58406d90f93156

SHA512
a052a9dbd606ef94847fdc6102baa4e4f24120fcf3e53c4e6dd7d9aab5f120c40c4b33080808b25076d463854dbc055350aa2629d1dbc060288d48a38642b90c

Download Submit
\Users\Admin\AppData\Local\Temp\Celery\Microsoft.Web.WebView2.Core.dll

Filesize
451KB

MD5
7e2bc58a005e0f41d74ce4b762e0fe89

SHA1
c2afc3173048be6f8b678c42e833e7835913b0b8

SHA256
af0e477405aaad87424cf3930818b4e7901a0077b13b8e0882e9b435ed6f4b4c

SHA512
d4cd340df3787e6c839c9b349069a425fd4f272e5e7478251e435d13a3a7d4ea9a5048cee6386be3874750baab14ede8ebf6009aa1db07b9cea4aa90bbadfd8f

Download Submit
\Users\Admin\AppData\Local\Temp\Celery\Microsoft.Web.WebView2.Core.dll

Filesize
451KB

MD5
7e2bc58a005e0f41d74ce4b762e0fe89

SHA1
c2afc3173048be6f8b678c42e833e7835913b0b8

SHA256
af0e477405aaad87424cf3930818b4e7901a0077b13b8e0882e9b435ed6f4b4c

SHA512
d4cd340df3787e6c839c9b349069a425fd4f272e5e7478251e435d13a3a7d4ea9a5048cee6386be3874750baab14ede8ebf6009aa1db07b9cea4aa90bbadfd8f

Download Submit
\Users\Admin\AppData\Local\Temp\Celery\Microsoft.Web.WebView2.Wpf.dll

Filesize
43KB

MD5
021975a0451ec73478b2a7a5759105ee

SHA1
e9fbb98a24e8d9ae67d948fbfcbd227961d8c7aa

SHA256
7a6b8c5658fe8ffb05f8df283fe7ee5d2b68bd34aaf70cc847fc7c935fb14767

SHA512
69683b1b8caf1bb6a200b31661ca085b3d9ef263c1d588f8b40d00c2c695f0f6fce3884a52741e9c1051961ccc25dd4c9518d5b17b4be48948577b04a03f41bc

Download Submit
\Users\Admin\AppData\Local\Temp\Celery\Microsoft.Web.WebView2.Wpf.dll

Filesize
43KB

MD5
021975a0451ec73478b2a7a5759105ee

SHA1
e9fbb98a24e8d9ae67d948fbfcbd227961d8c7aa

SHA256
7a6b8c5658fe8ffb05f8df283fe7ee5d2b68bd34aaf70cc847fc7c935fb14767

SHA512
69683b1b8caf1bb6a200b31661ca085b3d9ef263c1d588f8b40d00c2c695f0f6fce3884a52741e9c1051961ccc25dd4c9518d5b17b4be48948577b04a03f41bc

Download Submit
\Users\Admin\AppData\Local\Temp\Celery\runtimes\win-x86\native\WebView2Loader.dll

Filesize
112KB

MD5
578b9a2d5baa0dc780bd20b7d68f3e7d

SHA1
c17a61599736e5c5fa344251e7757c239fab5094

SHA256
75ec3d7faaf3f8a7e390d229678cf54c606f3dc2312c00531c58406d90f93156

SHA512
a052a9dbd606ef94847fdc6102baa4e4f24120fcf3e53c4e6dd7d9aab5f120c40c4b33080808b25076d463854dbc055350aa2629d1dbc060288d48a38642b90c

Download Submit
memory/2288-131-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/2288-130-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/2288-153-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/2288-122-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/2288-123-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/2288-124-0x0000000006360000-0x0000000006368000-memory.dmp

Filesize
32KB

Download
memory/2288-135-0x0000000009F80000-0x0000000009F92000-memory.dmp

Filesize
72KB

Download
memory/2288-134-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/2288-133-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/2288-132-0x000000000A970000-0x000000000AA46000-memory.dmp

Filesize
856KB

Download
memory/2288-121-0x0000000000F40000-0x0000000000F74000-memory.dmp

Filesize
208KB

Download
memory/2288-136-0x0000000009E60000-0x0000000009E6A000-memory.dmp

Filesize
40KB

Download
memory/2288-129-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/2288-128-0x0000000008810000-0x000000000881A000-memory.dmp

Filesize
40KB

Download
memory/2288-127-0x00000000087E0000-0x00000000087EE000-memory.dmp

Filesize
56KB

Download
memory/2288-125-0x00000000098A0000-0x00000000098D8000-memory.dmp

Filesize
224KB

Download
memory/2288-126-0x00000000059B0000-0x00000000059C0000-memory.dmp

Filesize
64KB

Download
memory/3812-744-0x00000000061E0000-0x0000000006254000-memory.dmp

Filesize
464KB

Download
memory/3812-740-0x0000000006140000-0x00000000061D2000-memory.dmp

Filesize
584KB

Download
memory/3812-739-0x0000000006040000-0x000000000604E000-memory.dmp

Filesize
56KB

Download
memory/3812-158-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

Filesize
64KB

Download
memory/3812-157-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

Filesize
64KB

Download
memory/3812-156-0x0000000000BA0000-0x0000000001062000-memory.dmp

Filesize
4.8MB

Download
memory/3812-749-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

Filesize
64KB

Download